Dear BSD Readers,

We, the BSD team, would like to wish you continuous prosperity, development and success as well as good health and happiness to you and your loved ones.
Configuring a Highly Available Service on FreeBSD — Part 2: CARP and devd
Jeroen van Nieuwenhuizen

In the first part of this series, we learned how to make 
high availability (HA) storage on FreeBSD using HAST. 
We learned how to control HAST and how to recover 
from failures. However, all those actions were still manual 
actions. In this second part of the series, Jeroen will teach 
how two basic building blocks, CARP and devd, work and 
how we can use them in the final part of our series to 
automate the failover of our NFS server. 


FreeBSD Programming Primer — Part 11
Rob Somerville

In the penultimate part of our series on programming, Rob will look at using the Netbeans Integrated Development Environment to debug and edit our CMS.
Unix Basics for Security Professionals
Ramkumar Ramadevu

Unix is the widely known multi-user and multitasking operating system that exists in many variants (e.g. Solaris, Linux, UX, AIX, etc.) and serves mission critical server environments around the world. Ramkumar provides the basics of Unix operating systems while discussing how UNIX addresses the above security challenges.


Introduction to Unix Kernel
Mark Sitkowski

It is usually a source of wonderment to PC users that the 
whole of the Unix operating system is in one executable. 
Instead of a hodge-podge of DLL's, drivers, and various 
occasionally-cooperating executables, everything is done 
by the Unix kernel. When Unix was first introduced, the 
operating system was described as having a ‘shell’, or user 
interface, which surrounded a ‘kernel’ which interpreted 
the commands passed to it from the shell. 


Let's Talk

OpenBSD 5.4 as a Transparent HTTP/HTTPS Proxy
Wesley MOUEDINE ASSABY

Wesley in his article will teach you how to configure Relayd for URL blocking with HTTPS inspection and how to use and understand Packet Filter.


www.bsdmag.org 


GhostBSD: A User-friendly, Lightweight BSD Alternative
Adrian J. Panunzio

GhostBSD is an open source desktop operating system based on FreeBSD which aims for a secure, user-friendly experience out of the box. GhostBSD comes with most common software choices already configured, giving the user a solid BSD installation out of the box. Adrian will tell you why he chose FreeBSD OS.


Security

How Secure Can Secure Shell (SSH) Be?
Arkadiusz Majewski

To begin, let's concentrate on the One Time Password (OTP). We are going to achieve our already secure SSH in conjunction with OTP for remote system connections. At first, in algorithmic meaning, OTP is a character string which should never repeat. Arkadiusz, in his article, demonstrates configurations as well as tricks that make using the protocol more secure.


Column

OPINION: With the UK government in collusion with the major search engines to censor 100,000 search terms to prevent child abuse, is the UK joining the ranks of the technological fascists?
Rob Somerville
Configuring a Highly Available Service on FreeBSD — Part 2: CARP and devd


In the first part of this series, we learned how to make high availability (HA) storage on FreeBSD using HAST. We learned how to control HAST and how to recover from failures. However, all those actions were still manual actions. In this second part of the series, we will learn how two basic building blocks, CARP and devd, work and how we can use them in the final part of our series to automate the failover of our NFS server.


What you will learn...
- How to configure CARP on FreeBSD
- How to use devd to take action on kernel events


CARP stands for Common Address Redundancy Protocol and makes it possible to share an IP (IPv4 and/or IPv6) address between multiple hosts in so called 'redundancy groups'. The IP that is shared between the hosts in the redundancy group resides on the master host for that group. In case the master goes down, the other members (backups) in the redundancy group will elect a new master. This master will then 'take' the shared IP.

What you should know...
- How to login to FreeBSD
- How to edit files on FreeBSD
- Basic understanding of network configuration
- The nfs-01 and nfs-02 machines from part 1

That, of course, sounds nice, but how does that help us? Well, to implement our failover NFS service, we need an IP address for this service to reside on the host that will service the NFS requests. The host that will service the NFS requests would be the primary HAST node. Also, in case of a HAST failover, we would like the service IP to switch to the new primary HAST node. So, if we are able to keep the CARP master state and the HAST primary state in sync with each other, we would always have the shared IP, which we can use for the NFS service, on the host that is the primary HAST node.


How to configure CARP

CARP can be configured by using the ifconfig command as described in Listing 1. Note that in our example setup nfs-01 will have the IP 192.168.254.1 and nfs-02 will have the IP 192.168.254.2, both with a /24 netmask.

The first command for nfs-01 in Listing 1 creates a carp interface called carp0 on that host. The second command configures this newly created carp0 interface with the correct parameters. The first parameter vhid is the virtual host ID, which uniquely identifies the redundancy group on the network and therefore should be the same on all hosts in the same redundancy group. In our example, we use a vhid of 1. The second parameter pass is used to authenticate the carp advertisements and is in our case set to bsdmag. This parameter should also be the same on all hosts in the same redundancy group. Although the pass parameter is optional, it is wise to set it, otherwise machines not part of the redundancy group can easily send out bogus carp traffic to disrupt our redundancy group. The third parameter is advbase, which specifies the base advertisement interval in seconds. These advertisements are needed to determine if the master is still up and, if not, to elect a new master. The fourth parameter advskew is closely related to the advbase parameter; when set, it adds a small amount of time to advbase so that advertisements are sent out a little less frequently than specified by advbase. This fourth parameter differs in our example for nfs-01 and nfs-02. It is higher for nfs-02 so that nfs-01 will become the master if both hosts come online at the same time, because nfs-01 will send out its advertisements more frequently. The last parameter specifies the shared IP to use and the network it resides on. In our case, the shared IP is 192.168.254.100 with a /24 netmask. This IP will become active on the master on the interface that is in the same network as specified for the carp0 interface. If, for example, nfs-01 is the master, the shared IP 192.168.254.100 will become available on the same interface as 192.168.254.1 as that interface is in the same network.


Listing 1. Configuring CARP on our hosts

nfs-01# ifconfig carp0 create
nfs-01# ifconfig carp0 vhid 1 pass bsdmag advbase 1 advskew 10 192.168.254.100/24
nfs-01# ifconfig carp0
carp0: flags=49<UP,RUNNING> metric 0 mtu 1500
        inet 192.168.254.100 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 10
nfs-02# ifconfig carp0 create
nfs-02# ifconfig carp0 vhid 1 pass bsdmag advbase 1 advskew 20 192.168.254.100/24
nfs-02# ifconfig carp0
carp0: flags=49<UP,RUNNING> metric 0 mtu 1500
        inet 192.168.254.100 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 20




The third command not only shows us the configuration of our carp0 interface, but also shows whether the interface is in the master or in the backup state in the line starting with carp:. Note that the password used is not visible. The configuration of the carp0 interface on nfs-02 is analogous to the configuration of the carp0 interface on nfs-01 with the earlier mentioned difference of the advskew parameter.


Making CARP reboot proof

Now that we know how to configure CARP, we want to make sure that our configuration becomes reboot proof. This can be done by adding a few lines to /etc/rc.conf. In Listing 2 you can find the lines we would need to add to /etc/rc.conf on the nfs-01 server. The first line makes sure our carp0 device will be created on boot. The second line configures the carp0 interface and is identical to the parameters we passed to the ifconfig command for carp0 earlier. It is left as an exercise for the reader to find the correct configuration for the nfs-02 server.


Listing 2. Making the CARP configuration reboot proof on nfs-01

cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass bsdmag advbase 1 advskew 10 192.168.254.100/24"
Testing CARP

After we have made our CARP configuration reboot proof, it is good to perform some basic tests to see whether the failover of the shared IP works as expected. First we will force a switch of the shared IP from our current master (nfs-01) to nfs-02. When that is complete and nfs-02 has indeed become the new master we will force the master back to nfs-01. In addition to testing, the commands in Listing 3 that describe these actions are also useful in the case when a manual switch has to be forced. Please be especially aware of the host you have to execute the commands on to trigger the failover. An important note to make is that in case you are building this setup on a virtual platform, broadcast traffic should be allowed for the virtual machines or CARP won't work. Allowing broadcast traffic is not the default setting for all virtualisation solutions.


What is devd?

Devd is the device state change daemon: a system daemon that runs in the background and hooks into the devctl device driver. When a change occurs in the device configuration tree, this device driver will pass this information to devd. Devd will parse this message and will look into its action list for an action to execute. This way devd provides a way to have userland programs run when certain kernel events happen. The default configuration file for devd is /etc/devd.conf. By default this file includes the options to also scan the /etc/devd and /usr/local/etc/devd directories for devd configuration files.


Listing 3. Testing the CARP failover

Moving the master from nfs-01 to nfs-02 (commands executed on nfs-01)

nfs-01# ifconfig carp0 down
nfs-01# ifconfig carp0 up

Checking the status on both hosts (commands executed on nfs-01 and nfs-02)

nfs-01# ifconfig carp0
nfs-02# ifconfig carp0

Moving the master from nfs-02 to nfs-01 (commands executed on nfs-02)

nfs-02# ifconfig carp0 down
nfs-02# ifconfig carp0 up

And again checking the status on both hosts (commands executed on nfs-01 and nfs-02)

nfs-01# ifconfig carp0
nfs-02# ifconfig carp0


Devd syntax

To explain the syntax of devd we will make a slight side step by looking at the devd configuration shown in Listing 4. What this configuration does is log a message to syslog when a USB device is attached. Let's inspect this configuration a little bit further. The first line, notify 0, indicates that an action should be taken when the kernel sends an event notification to the user land. The priority of this rule is 0. This priority is used to decide which action to take when more than one rule matches. If more than one rule matches, the rule with the lowest number is executed. To restrict the cases in which our action will be executed we use the match clauses on lines 2 to 4. Line 2 matches the event message against the system it is coming from, in this case the USB system. So all events that are not from the USB system will not trigger the action. The next line restricts the action to a subsystem of the USB system. In this case it is the interface subsystem, so the event should come from a USB interface to trigger our action. The last match rule of Listing 4 restricts the type of event, in this case the attachment of a device. Last but not least, we have line 5, which specifies the action to execute. In this case we log a message to syslog to notify us that a USB device has been attached, but an action line can call every command you like. More information about all the systems, subsystems, types and actions you can handle with devd can be found in the devd.conf manual page.


Listing 4. A devd configuration for USB events

notify 0 {
    match "system"    "USB";
    match "subsystem" "INTERFACE";
    match "type"      "ATTACH";
    action "logger USB device attached";
};


Listing 5. Configuring devd for CARP

notify 30 {
    match "system"    "IFNET";
    match "subsystem" "carp*";
    match "type"      "LINK_UP";
    action "logger -t bsdmag $subsystem device is UP";
};
notify 30 {
    match "system"    "IFNET";
    match "subsystem" "carp*";
    match "type"      "LINK_DOWN";
    action "logger -t bsdmag $subsystem device is DOWN";
};


Configuring devd for CARP

Now that we have a basic grasp of how to use devd to take actions on kernel events we can start to configure devd to handle events originating from our CARP interfaces. In Listing 5 we see a configuration that will log to syslog when we receive a LINK_DOWN or a LINK_UP event from our carp0 interface. Because a CARP device is a network system, the system we have to use in our match rule is IFNET. Noteworthy is the wildcard match we use in the subsystem, hence the action will run for an event on any carp interface that matches the type. To separate between the link going up and the link going down we created 2 statements, one for the LINK_UP and one for the LINK_DOWN event. Also interesting is the action line we use. Again, we use logger to log a message to syslog, but we also use the $subsystem variable available to log the exact subsystem that the event came from, so in the log we will see which interface generated the event. By putting the configuration from Listing 5 in /etc/devd/hast.conf and by restarting devd with service devd restart we make sure it will be used by devd.


Testing of our devd configuration is more or less analogous to the initial testing of our CARP configuration, so we can use the commands from Listing 3 again. However, to see if our devd recipe for CARP worked, we should not only check the status of our carp0 interface with ifconfig carp0, but also check /var/log/messages to see if the log messages we configured in Listing 5 are indeed written to the syslog correctly, so we are sure devd is configured correctly. Take good note of when a CARP interface sends the LINK_UP type and when it sends the LINK_DOWN type of event. You will see that the CARP interface sends the LINK_UP message via devd only when it becomes the master and the LINK_DOWN message both when it goes down and when it becomes the backup.
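As an added example (not code from the article), the following helper shows how a devd action in the style of Listing 5 could hand `$subsystem` and `$type` to a script that re-reads the carp state with ifconfig before deciding what to do. That extra check matters because, as noted above, LINK_DOWN arrives both when the interface goes down and when the host merely becomes BACKUP. The script path, the function names and the devd action line are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. A devd rule such as
#   action "/usr/local/sbin/carp-event.sh $subsystem $type";
# (path assumed) could call this script. It re-reads the carp state from
# ifconfig(8) because LINK_DOWN alone does not tell us whether the interface
# went down or whether this host just lost the election and became BACKUP.

# Read ifconfig(8) output on stdin and print the word after "carp:"
# (MASTER, BACKUP or INIT); print UNKNOWN when no carp line is present.
carp_state_from_ifconfig() {
    awk '$1 == "carp:" { print $2; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# Map (devd event type, current carp state) to what a failover script
# should do: promote, demote or ignore.
decide_action() {
    case "$1:$2" in
        LINK_UP:MASTER)   echo promote ;;   # this host won the election
        LINK_DOWN:BACKUP) echo demote ;;    # another host became master
        LINK_DOWN:*)      echo demote ;;    # interface really went down
        *)                echo ignore ;;    # e.g. LINK_UP while still BACKUP
    esac
}

# Constructed sample of "ifconfig carp0" output on the master, modelled on
# Listing 1; used for stand-alone checks, not read from a real system.
SAMPLE_MASTER='carp0: flags=49<UP,RUNNING> metric 0 mtu 1500
        inet 192.168.254.100 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 10'

# Only touch the live system when devd passes "$subsystem $type" as the two
# arguments; sourcing this file for its functions does nothing.
if [ $# -eq 2 ]; then
    iface="$1"; evtype="$2"
    state="$(ifconfig "$iface" | carp_state_from_ifconfig)"
    act="$(decide_action "$evtype" "$state")"
    logger -t bsdmag "$iface $evtype: carp state $state, action $act"
fi
```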


In this second part of the series we introduced CARP and devd. We learned how to configure CARP, and how to make an IP highly available with it. We also learned what devd is and how to take actions on kernel events by using devd. Especially, we learned how to run a script from devd in case of a CARP failover. Now that we know how to configure HAST, CARP and devd we can put all these building blocks together in the final part of our series in which we will create the highly available NFS server and the failover script to call from devd.


Questions received from readers

During the filesystem check HAST is of course unavailable. But you really should do this check, to be sure your filesystem is in a consistent state. Otherwise you might run into problems later that cause much more downtime than the filesystem check would take. To reduce the time spent filesystem checking, it is also good practice to always use a journaling filesystem on your HAST devices. One important point to keep in mind is also that highly available does not mean always available, so yes, in case of a node failure you probably will have some downtime, but significantly less than when you would need to rebuild your machine and restore from backup. Also your data loss will probably be significantly less.

In that case you should probably look into gluster (RedHat Linux), LustreFS or CEPH, which are clustered/distributed filesystems but all have a focus on Linux unfortunately.


JEROEN VAN NIEUWENHUIZEN

Jeroen van Nieuwenhuizen works as a unix consultant for Snow. Besides playing with FreeBSD, his free time activities include cycling, chess and ice skating.
FreeBSD Programming Primer — Part 11

In the penultimate part of our series on programming, we will look at using the Netbeans Integrated Development Environment to debug and edit our CMS.

What you will learn...
- How to configure a development environment and write HTML, CSS, PHP and SQL code


Unfortunately, the Internet gremlins have got me at the moment so this how-to is going to be very short. My local telco is currently rolling out fibre in the area, and my ADSL internet connection is very unreliable, but hopefully I will be able to wrap up the programming primer in part 12 with a bumper edition.

While debugging at the command line using echo statements or commenting out code is possible, a more frequent scenario is that our project will be residing on a remote server and we will need to see the actual processes in action. Often developers will have a local copy of the LAMP stack on their PC or laptop, so that they can debug locally. However, what happens when our development environment is on a laptop and the code is on a remote server? A frequent approach is to use an Integrated Development Environment (IDE) with a built in file transfer utility. Coupled with Xdebug, which supports PHP, we can download our remote code and debug (step through) each line, examine variables etc. To do this, we will need to install Xdebug on our server and install the IDE of our choice on an available local PC. This can be FreeBSD, Windows or Linux, but in my case I was using an Ubuntu desktop. The IDE installation will vary from environment to environment; full details can be found at https://netbeans.org. The IP address of my desktop PC for this exercise was 192.168.0.123.

Installing Xdebug

What you should know...
- BSD and general PC administration skills

Rather than using the FreeBSD provided software, I downloaded the latest version from http://xdebug.org. The reason for this is that in the past I have had problems getting the standard packaged version of Xdebug working with certain distros, whereas the latest Xdebug and latest Netbeans IDE always seem to work OK together. Once you have downloaded the latest version of the tarball (currently xdebug-2.2.3.tgz) into your home directory, on the remote server (192.168.0.118) as root, perform the following (Listing 1).

Listing 1. Install Xdebug

tar -xvzf xdebug-2.2.3.tgz
cd xdebug-2.2.3
phpize
./configure --enable-xdebug
make
cd modules
cp xdebug.so /usr/local/lib/php/20100525/
touch /var/log/xdebug.log
chmod 666 /var/log/xdebug.log
touch /usr/local/etc/php/xdebug.ini

Add the following to /usr/local/etc/php/xdebug.ini (Listing 2). Replace 192.168.0.123 with the IP address of your client machine.

Listing 2. /usr/local/etc/php/xdebug.ini

zend_extension=/usr/local/lib/php/20100525/xdebug.so
xdebug.remote_enable=1
xdebug.remote_host=192.168.0.123
xdebug.remote_port=9000
xdebug.remote_handler=dbgp
xdebug.remote_mode=req
xdebug.profiler_enable=1
xdebug.remote_log=/var/log/xdebug.log

Restart Apache (Listing 3).

Listing 3. Restarting Apache

/usr/local/etc/rc.d/apache22 stop
/usr/local/etc/rc.d/apache22 start

If we now login as admin and visit our PHPinfo page at http://192.168.0.118/phpinfo.php, we should see that Xdebug is installed and running (Figure 1). If you have not already done so, download and install Netbeans on a local PC of your choice. You will need a working Java installation and Firefox installed for this to work.

Figure 2. Create a new project with PHP application on remote server
Figure 5. Create a new SFTP connection (SSH must be running on Port

Useful links
- Xdebug: http://xdebug.org
- Netbeans: http://php.net/manual

plan, you should be able to step through your code by pressing F7, and interrogate variables by hovering over

there is some mis-communication between Netbeans and the server. See xdebug.log for further details.
Figure 8. The final settings of the remote project. Replace with your server IP address as required

ROB SOMERVILLE

Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid-eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case.


UNIX

Unix Basics for Security Professionals

Unix is the widely known multi-user and multitasking operating system that exists in many variants (e.g. Solaris, Linux, UX, AIX, etc.) and serves mission critical server environments around the world.


What you will learn...
- How to provide a secure and reliable environment to the users
- How UNIX addresses the security challenges


Being a multi-user system, Unix has the responsibility to provide a secure and reliable environment to its users. Just like any other multi-user networking operating system, Unix also has two important security challenges to deal with, and they are:

1. Maintaining UNIX Internal security

Figure 1. Maintaining UNIX Internal security (Security Challenge 1: Data Resources)

2. Defending UNIX Server Environment from External Threats

What you should know...
- Unix basics
- Unix core components

Figure 2. Defending UNIX Server Environment from External Threats (Security Challenge 2: Unix Network Environment, Unix Server)


What can you expect from this article? 

This article intends to provide the basics of Unix Operating 
systems while discussing how UNIX addresses the above 
security challenges. This is not a complete UNIX command 
by command tutorial, but rather a bird’s eye view of overall 
Unix Operating system functions in simple terms. To begin, 
Unix-like operating systems are composed of several core 
components that are packaged and function together to 
deliver certain services to the Unix end-user. The diagram 
below gives you an overall picture of UNIX core compo- 
nents and their interconnection with other components. 


12/2013 




Kernel

The source code of a Unix system that performs major operating system functions and also directly interacts with the server hardware with the help of sub-components like:

- Dev: contains device drivers to control the hardware
- Sys: handles key operating system functions like memory management, process handling and system calls etc.

User Interface Environment

Users' interaction with the Unix operating system happens in several ways as classified below:

Shell Interface: Shell is a programmable command line interpreter which acts as a primary interface between the user and the Unix operating system. In the modern Unix world there are several types of shell interfaces available, e.g. BASH, CSH, KSH, etc.

System and User Utilities: These are the tools which are provided for additional functionality of the Unix operating system, e.g. disk management tools like format, fdisk, etc.

Development Environment

UNIX provides built-in development tools to recreate the majority of the operating system from the source code, e.g. cc, as, ld, make, etc.


Key Functionalities of UNIX Operating Systems

Figure 3. UNIX core components

Unix Users & Groups

Now it's time to discuss 6 key functionalities of Unix that help us understand "How Unix addresses security challenges" as we discussed earlier in this article. Unix classifies its users into two categories, the first being super users who have complete privileges on the entire Unix operating system and the second being regular users who have privileges to access their own data and resources only. Groups act as containers for users who require equal privileges on the same set of data and resources.

From the security point of view, "unused user accounts" is one of the areas that we continuously audit and disable if any unexpected user accounts are found. UNIX maintains its local user account database in three files: /etc/passwd, /etc/shadow and /etc/group. When working in an enterprise network environment, Unix is used to maintain a centralized user account database using NIS, NIS+ or LDAP.

Unix allocates a UserID (UID) to every user, and by default super user accounts will have the UID of 0. For example, UNIX designates some users as system default users; they will be assigned a specific range of UIDs and normal users a different range of UIDs. For example, in the Redhat Linux system default users will get UIDs < 500 whereas normal users will have a UID > 500. Here are a few steps to trace out unwanted/unexpected user accounts.


1. Look in /etc/passwd for new accounts in a list sorted by UID:

# sort -nk3 -t: /etc/passwd | less

Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500.

2. Also, look for unexpected UID 0 accounts:

# egrep ':0+:' /etc/passwd

3. On systems that use multiple authentication methods:

# getent passwd | egrep ':0+:'
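The three checks above can be scripted so they run the same way on every host and produce a short report instead of a screenful to read. The following is an added example, not from the article: two shell functions that read passwd-format lines (from /etc/passwd or getent passwd) on stdin, plus a constructed sample to run them against. Function names and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: scripted versions of the /etc/passwd
# checks described above. Both functions read passwd-format lines on stdin,
# so they work on "cat /etc/passwd" as well as on "getent passwd".

# Print "uid:name" for every account whose UID field is numerically 0.
# Comparing numerically catches "0", "00" and "000" (which the article's
# ':0+:' regex also matches) without matching a UID such as "01".
uid0_accounts() {
    awk -F: 'NF >= 3 && $3 ~ /^[0-9]+$/ && ($3 + 0) == 0 { print $3 ":" $1 }'
}

# Print "uid:name" for accounts in the system UID range (below the given
# limit, default 500 as in the Red Hat example), sorted numerically by UID.
low_uid_accounts() {
    _limit="${1:-500}"
    awk -F: -v lim="$_limit" \
        'NF >= 3 && $3 ~ /^[0-9]+$/ && ($3 + 0) < lim { print $3 ":" $1 }' \
        | sort -t: -n -k1,1
}

# UID 0 accounts other than root: the ones an audit should question.
unexpected_uid0_accounts() {
    uid0_accounts | grep -v ':root$' || true
}

# Constructed sample passwd content (not from any real system). It includes
# a second UID 0 account and one written with leading zeros.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
toor:x:0:0:Bourne-again Superuser:/root:
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
hidden:x:000:0:leading zeros:/:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh'

# Run against the sample when executed directly with "--demo"; on a real
# host you would pipe "getent passwd" into the functions instead.
if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PASSWD" | unexpected_uid0_accounts
    printf '%s\n' "$SAMPLE_PASSWD" | low_uid_accounts 500
fi
```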


Unix Files, Directory and File Systems 

In brief, files are used to store the data (in different for- 
mats like ascii format, binary format, etc.), whereas direc- 
tories act as containers to group all related files in a single 
location, for easy maintenance of data. The File System is 
a structure that explains how the information is stored and 
retrieved from the Unix system. 

Unix users access files for read, write and execute pur- 
poses. And Unix gives us the flexibility to assign these per- 
missions to the file owners, groups and others individually. 

Each file in Unix will have its own access control infor- 
mation, called Inode information, along with the actual 
data. Inode data (also referred to as file metadata) helps 
us to identify file type, file permissions for owner, group 
and others, file owner, file group, file size, file modification 
date, file modification time, etc. We can see the informa- 
tion with the command below: 
# ls -l unixfile
drwxr-xr-x 2 unix system 4096 Sep 27 23:38 unixfile

Figure 4. Inode Block Information (Unix file metadata): file type (-, d, l, p, s, c, b), file permissions, number of links/instances, owner, group, file size, file modification date, file modification time, file name


In addition to regular access privileges, Unix also provides two additional ones, SUID and SGID, which allow users to run executable programs with owner and group permissions. From the security point of view, it is important to audit the system regularly to check if there are unexpected root owned files that are assigned with these additional privileges. To find unusual SUID root files, use the following command:

# find / -uid 0 -perm -4000 -print

and also look for files named with dots and spaces ("...", ".. ", ". ", and " ") used to camouflage files:

# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print


Unix Directory Structure

Unix maintains its entire information in a hierarchical tree form and the base of the tree is called the root (/) directory. Most Unix variants use this as the home directory of super user accounts. Unix classifies the files based on their purpose and places them under different sub-directories under the "/" directory, the most well-known subdirectories being: /bin (user binaries); /sbin (system binaries); /etc (customized configuration files); /dev (device files); /proc (active process information); /var (system logs); /tmp (temporary files); /opt (optional programs); /lib (system libraries).
From the security point of view, we need to look into the system logs for suspicious events similar to:

- Large number of authentication failures via sshd, telnetd, etc.
- Large number of RPC program logs showing with additional ASCII codes
- Large number of "Error" logs for web servers, file servers, etc.
- Unexpected application restarts or system reboots, with truncated or disappeared system logs.


Every Unix variant has a security level in its kernel; the higher it is, the more secure the system is. Be aware that having a higher security level might cause performance degradation in the long term. For example, in Linux, if you change the attribute of /var/log/auth.log to append-only mode as given below, then an intruder who gains root privileges can't delete the log until he explicitly unsets the attribute. Here is a quick example to set the attribute on auth.log:

# chattr +a auth.log


Unix Software Management and Patches

Almost all Unix variants maintain their software components in the form of packages. A package is a collection of files and directories grouped together as per the System V interface definition. Once a package is developed and released for installation, if any known potential problem is found in the package, the operating system vendor has to develop and release a fix, called a patch, for the problem. Sometimes patches are also used to provide a new feature or enhancement to a particular software package. Almost all Unix variants have their own package and patch manager to perform regular package/patch installation, removal and update operations. For example, Linux variants use dpkg, rpm and yum. Regular patch management is very important for system security because every UNIX operating system will have some unknown built-in security threats that are discovered over time. To run our Unix environment with the highest level of security, we always have to keep our security patches installed and up to date. Most OS variants will have mailing lists and/or other methods of informing users of important security updates. When installing packages or patches, one key thing to remember is to make sure we are installing the right package (including version) and that none of the installed packages have been modified by an intruder to trick you into installing their own packages. So how do we check the packages? Simply find the checksum of the package/patch and compare the result with the original checksum provided with the original patch/package:

  # md5sum samba-patch-x.x.x.rpm.bz2
  67534a24ca89b/]6f5ael9/edl/Jibd/5e  samba-patch-x.x.x.rpm.bz2

One can also check the gpg signature of the program tarball if present:

  $ gpg --import samba-pubkey.asc
  $ gunzip samba-version.tar.gz
  $ gpg --verify samba-release.tar.asc
  gpg: Signature made Tue 20 Nov 2007 07:12:04 PM CST using DSA key ID 6568B7EA
  gpg: Good signature from "Samba Distribution Verification Key <samba-bugs@samba.org>"
Unix Processes and Services/Daemons

UNIX process: Any executable program that is running in a Unix system and consuming system resources like CPU/MEM/IO is called a process. Unix assigns a unique process ID (PID) and a process priority to every process during its initiation and continues to monitor the process using the PID assigned. At any point in time the process is in one of the following states: running, waiting, sleeping and zombie/defunct (i.e. a completed child process without a parent process). The ps command helps us to find the currently active processes:

  $ ps aux
  USER      PID %CPU %MEM   VSZ  RSS TTY    STAT START TIME COMMAND
  timothy 29217  0.0  0.0 11916 4560 pts/21 S+   08:15 0:00 pine
  root    29505  0.0  0.0 38196 2728 ?      Ss   Mar07 0:00 sshd: can [priv]
  can     29529  0.0  0.0 38332 1904 ?      S    Mar07 0:00 sshd: can@notty

USER = user owning the process
PID = process ID of the process
%CPU = the CPU time used divided by the time the process has been running
%MEM = ratio of the process's resident set size to the physical memory on the machine
VSZ = virtual memory usage of the entire process
RSS = resident set size, the non-swapped physical memory that a task has used
TTY = controlling tty (terminal)
STAT = multi-character process state
START = starting time or date of the process
TIME = cumulative CPU time
COMMAND = command with all its arguments

For security purposes, if you see any process that is unusual or unfamiliar, investigate it in more detail using:

  # lsof -p [pid]

This command shows all files and ports used by the running process.

Unix services: These are the programs that initiate a set of processes to deliver specific operating system functionality, for example the print service, network service, back-up service, etc. If the services automatically start during system startup and run in background mode without any user intervention, then those services are called system daemons. To address security risks, we should disable any unused services that are running on the system and disable any related network ports. For example, in Linux you can see all the service information using the command:

  # chkconfig --list
Unix Configuration in a Network Environment

To configure Unix systems in an enterprise network environment we have to deal with several components, as described below:

• Functional network hardware: Ethernet cards, network links, network speed, network duplex, etc.
• Functional network protocol configuration: IP addresses, network routes, subnet masks, etc.
• Functional network service configuration: service-specific configuration files, e.g. httpd.conf, smb.conf, iptables.conf, ftp.conf, sshd.conf, etc.

Sample commands from Linux:

  # ifconfig -a                        to check the currently available network interfaces
  # ethtool ethX                       to check the network link speed and duplex settings
  # tcpdump                            to check the network traffic on a network interface
  # netstat -rn                        to check the network routes available on the system
  # service <servicename> start|stop   to stop or start a network service

You can refer to my article Linux Networking Troubleshooting (http://gurkulindia.com/main/2012/11/redhat-enterprise-linux-networking-troubleshooting-quick-reference/) if you want to know how to use these commands in real time. For general security, we should also occasionally:

• look for unusual port listeners: # netstat -nap
• get more details about running processes listening on ports: # lsof -i
• look for unusual ARP entries, mapping IP addresses to MAC addresses that aren't correct for the LAN: # arp -a

That's it. Now you know the overall functioning of Unix, and if you want expertise in any area, you can jump directly to that part and fine-tune your understanding of that specific concept.

RAMKUMAR RAMADEVU

Ramkumar Ramadevu is a well-known author at unixadminschool.com who regularly writes enterprise UNIX administration articles. Refer to his Unix Administration Bookshelf (http://unixadminschool.com/bookshelf/unixshelf.htm).
Introduction to Unix Kernel

It is usually a source of wonderment to PC users that the whole of the Unix operating system is in one executable. Instead of a hodge-podge of DLLs, drivers, and various occasionally-cooperating executables, everything is done by the Unix kernel. When Unix was first introduced, the operating system was described as having a 'shell', or user interface, which surrounded a 'kernel' which interpreted the commands passed to it from the shell.


What you will learn...
• The Unix kernel functions
• How to improve Unix kernel processes

With the passage of time and the advent of graphical window systems on Apollo and Sun computers in 1983, this model became a bit strained at the edges. However, it still provides a useful mental image of the system, and window systems can be thought of as a 'candy coat' around the shell. In fact, it isn't just X Windows which has a direct path to the kernel, since TCP/IP also falls into this category.

The following is not intended to be an exhaustive treatise on the inner workings of the Unix kernel, nor is it specific to any particular brand of Unix. It is essential to broadly understand certain important functions of the kernel before we can take advantage of some of its features and improve the way in which it handles our processes. The Unix kernel performs the following functions, much of which is of interest to us in pursuit of this goal:


System calls
All of the most basic operating system commands are performed directly by the kernel. These include:

• open()
• close()
• dup()
• read()
• write()
• fcntl()
• waitpid()
• fork()
• exec()
• kill()

What you should know...
• Unix basics

Since the above commands are executed by the kernel, the 'C' compiler doesn't need to generate any actual machine code to perform the function. It merely places a 'hook' in the executable, which instructs the kernel where to find the function. Modern third-party compilers, however, are ported to a variety of operating systems, and will generate machine code for a dummy function, which itself contains the 'hook'.


Process scheduling and control
The kernel determines which processes will run, when and for how long. We will examine this mechanism in detail later.

Networking

That which became networking was originally designed so that processes could communicate. It is this ability to pass information quickly and efficiently from one running process to another that makes the Unix operating system uniquely capable of multidimensional operation. All of the most important communication commands are system calls:

• socket()
• connect()
• bind()
• listen()
• accept()
• send()
• recv()
Device drivers for all supported hardware devices

Unlike other operating systems, where device drivers are separate programs individually loaded into memory, the Unix kernel inherently contains all of the machine's drivers. Contrary to what may be supposed, the entries in the /dev directory are not drivers, but rather are just access points into the appropriate kernel routine. We will not concern ourselves unduly with the Unix device drivers, as they are outside the scope of this article.

Anatomy of a process
Single-threaded:

[Figure 1. Anatomy of the process — single-threaded]

Multi-threaded:

[Figure 2. Anatomy of the process — multi-threaded]

When an executable is invoked, the following events occur, though not necessarily in this order.
Process Loading
The loader:

• Fetches the executable file from the disk.
• Allocates memory for all of the global variables and data structures ('the data segment') and loads the variables into that area of memory.
• Loads the machine code of the executable itself ('the text segment') into memory. With demand-paged executables this is not strictly the case, as the amount of code actually loaded into memory is several 4k pages. The remainder is put into the swap area of the disk.
• Searches the header portion of the executable for any dynamically-linked libraries or modules.
• Checks to see if these are already loaded and, if not, the modules are loaded into memory. Otherwise, their base addresses are noted.
• Makes available the base addresses of dynamically-linked modules/libraries to the process.
• Allocates an area of memory for the stack. If the process is multi-threaded, a separate stack area is allocated for each thread.

The kernel:

• Sets the program counter to the first byte of executable code.
• Allocates a slot in the process table to the new process.
• Allocates a process ID to the new process.
• Allocates table space for any file descriptors.
• Allocates table space for any interrupts.
• Sets the 'ready to run' flag of the process.

All of the above resources, allocated to a given process, constitute the 'context' of a process. Each time the kernel activates a new process, it performs a context switch by replacing the resources of the previously running process with those of the current one. At this point, the scheduling algorithm takes over.


The Process Scheduling algorithm
While a process is running, it runs in one of two modes:

Kernel mode

All system calls are executed by the kernel and not by machine code within the process. Kernel mode has one very desirable characteristic, and that is the fact that system calls are atomic and hence cannot be interrupted. One of the most important factors in writing code for high-performance applications is to ensure that your process executes as much in kernel mode as possible. This way you can guarantee the maximum CPU time for a given operation.

Kernel threads, such as pthreads, run in kernel mode. It is sometimes worth using a thread, even when doing so doesn't constitute parallel operation, purely to get the advantage of running in kernel mode. If an interrupt occurs while in this mode, the kernel will log the signal in the interrupt table, and examine it after the execution of the current system call. Only then will the signal be actioned.

User mode

The ordinary machine code, which makes up much of the executable, runs in user mode. There are no special privileges associated with user mode, and interrupts are handled as they arrive. It may be seen that, during the time that a process runs, it is constantly switching between kernel mode and user mode. Since the mode switch occurs within the same process context, it is not a computational burden.

Scheduling
A Unix process has one of the following states:

• Sleep
• Run
• Ready to Run
• Terminated

The scheduling algorithm is a finite-state machine, which moves the status of the process between states, depending on certain conditions. Basically, what happens is this. A process begins to execute. It runs until it needs to perform I/O, then, having initiated the I/O, puts itself to sleep. At this point, the kernel examines the next process table slot and, if the process is ready to run, it enables its execution. If a process never performs I/O, such as processes which perform long series of floating point calculations, the kernel permits it to only run for a fixed time period, of between 20 and 50 milliseconds, before pre-empting it and enabling the next eligible process.

When the time comes for a process to run, an additional algorithm determines the priority of one process over another. The system clock sends the kernel an interrupt once per second, and it is at this time that the kernel calculates the priorities of each process. Leaving aside the user-level priority weighting determined by 'nice', the kernel determines priority based on several parameters, of which the following are significant:

• How much CPU time the process has previously used
• Whether it is waking up from an I/O wait or not
• Whether it is changing from kernel mode to user mode or not


Swapping and Paging
Of course, the execution of a process is never that straightforward. Only a portion of the code is loaded into memory, meaning that it can only run until another page needs to be fetched from the disk. When this occurs the process generates a 'page fault', which causes the pager to go and fetch the appropriate page. A similar situation occurs when a branch instruction is executed which takes the execution point to a page other than those stored in memory. The paging mechanism is fairly intelligent and contains algorithms similar to those found in CPU machine instruction pipeline controllers; it tries to anticipate branch instructions and pre-fetch the anticipated page, more or less successfully, depending on the code structure.

Although there are certain similarities, paging, which is a natural result of process execution, should not be confused with swapping. If the number of processes grows to the extent that all available memory becomes used up, the addition of another process will trigger the swapper and cause it to take a complete process out of memory and place it in the swap area of the disk. This is, computationally, an extremely expensive operation. The entire process, together with its context, has to be written to disk, then, when it is permitted once again to run, another process must be swapped out to make space for it to be reloaded into memory.


So, what does all of this have to do with Performance?

It may be seen from the above that processes which are designed for performance-critical applications should avoid doing physical I/O until it is absolutely necessary, in order to maximize the amount of contiguous CPU time. If it is at all possible, all of the I/O operations should be saved up until all other processing has completed and then be performed in one operation, preferably by a separate thread.

As far as threads are concerned, let us consider what happens when we launch a number of threads to perform some tasks in parallel. First, the threads are each allocated a separate stack, but are not allocated a separate process table slot. This means that, although there are several tasks executing in parallel, this only occurs during the active time of that slot. When the kernel preempts the process, execution stops. Multi-threading will not give your application any more system resources. Further, if we consider a situation where we have 100 processes running on a machine and one of them is ours, then we would expect to use 1% of the CPU time. However, if 25 of them are ours, we would be eligible to use 25% of the CPU time.

Thus, if an application can split itself into several processes running concurrently, then, quite apart from the obvious advantages of parallelism, we will capture more of the machine's resources simply because each child process occupies a separate process table slot. This also helps when the kernel assigns priorities to processes. Even though we may be penalized for using a lot of CPU time, the priority of each process is rated against that of other processes. If many of these belong to one application, then even though the kernel may decide to give one process priority over another, the application, as a whole, will still get more CPU time.

Additionally, if we are running on a multi-processor machine, then we can almost guarantee to be given a separate CPU for each child process. The kernel may juggle these processes over different CPUs as a part of its load-balancing operations, but each child will still have its own processor. The incorporation of the above techniques into our software architecture forms the cornerstone of multidimensional programming.

Process Scheduling, in Summary

• Each child process gets a CPU different to that used by the parent.
• The more processes contribute to the running of your application, the more CPU time it will get.
• Multi-threading creates multiple execution paths within one process table slot. It may permit parallel execution paths, but it will not get the application more CPU time, or a new CPU.

Therefore:

• Find parallelism within your application. This will make your software run more efficiently.
• Employ multi-threading where it is not possible to fork a separate process, or where you need to refer to global information, as in the parent process.
• Having decided how the children will communicate the data back to the parent, launch a separate child process for every possible parallel function, to gain the maximum CPU time.

System calls

fork()

Under pre-Unix operating systems, starting a process from within another process was traditionally performed as a single operation. One command magically placed the executable into memory, and handed over control and ownership to the operating system, which made the new process run. Unix doesn't do that.

Each process has a hierarchical relationship, with its parent, which is the process which brought it to life, and with its child or children which, in turn, are processes which it, itself, started. All such related processes are part of a process group. If a kill() signal is sent to the parent of the process group, it will propagate to the child processes. Unix also has the concept of a 'session' which, essentially, can be thought of as comprising all of the process groups associated with a login, or TCP/IP connection.

The basic mechanism that initiates the birth of a new process is fork(). The fork() system call makes a running copy of the process which called it. All memory addresses are re-mapped, and all open file descriptors remain open. Also, file pointers maintain the same file position in the child as they do in the parent. Consider the following code fragment:

  #include <stdio.h>
  #include <unistd.h>

  pid_t pid;

  switch ((pid = fork())) {
  case -1:
      printf("fork failed\n");
      break;
  case 0:
      printf("Child process running\n");
      some_child_function();    /* the child's own work, not shown here */
      break;
  default:
      printf("Parent process executes this code\n");
      break;
  }


At the time that the fork() system call is called there is only one process in existence, that of the expectant parent. The local variable pid is on the stack, probably uninitialised. The system call is executed and, now, there are two identical running processes both executing the same code. The parent and the new child process both simultaneously check the variable pid, on the stack. The child finds that the value is zero and knows, from this, that it is the child. It then executes some_child_function() and continues on a separate execution path. The parent does not see zero, so it executes the 'default' part of the switch() statement. It sees the process ID of the new child process, and drops through the bottom of the switch(). Please note that if we do not call a different function in the case 0: section of the switch, both parent and child will continue to execute the same code, since the child will also drop through the bottom of the switch().

Programmers who know little about Unix will have a piece of folklore rattling around in their heads which says 'a fork() is expensive. You have to copy an entire process in memory, which is slow, if the process is large'. This is true, as far as it goes. There is a memory-to-memory copy of that part of the parent which is resident in memory, so you may have to wait a few milliseconds. However, we are not concerned with trivial processes whose total run time is affected by those few milliseconds. We are dealing exclusively with processes whose run times are measured in hours, so we consider a one-time penalty of a few milliseconds to be insignificant.

When a parent forks a child process on a multi-processor machine, the Unix kernel places the child process onto its own separate CPU. If the parent forks twelve children on a twelve-CPU machine, each child will run on one of the twelve CPUs. In an attempt to perform load-balancing, the kernel will shuffle the processes around the CPUs, but, basically, they will remain on separate processors.

The fork() system call is one of the most useful tools for the full utilisation of a multi-processor machine's resources, and it should be used whenever one or more functions are called which can proceed with their tasks in parallel. Not only is the total run time reduced to that of the longest-running function, but each function will execute on its own CPU.

vfork()

There is a BSD variant of fork() which was designed to reduce the memory usage overhead associated with copying a possibly huge process in memory. The semantics of vfork() are exactly the same as those of fork(), but the operation is slightly different. vfork() only copies the page of the calling process which is currently in memory, but, due to a bug (or feature), permits the two processes to share the same stack. As a result, if the child makes any changes to variables local to the function which called vfork(), the changes will be visible to the parent. Knowledge of this fact has enabled experienced programmers to make use of the advantages of vfork() while avoiding the pitfalls. However, far more subtle bugs also exist, and most Unix vendors recommend that vfork() only be used if it is immediately followed by an exec().


exec()

The original thinking behind fork() was that its primary use would be to create new processes, not just copies of the parent process. The exec() system call achieves this by overlaying the memory image of the calling process with the new process. There is a very good reason for separating fork() and exec(), rather than having the equivalent of VMS's spawn() function, which combines the two. That reason is that it is sometimes necessary, or convenient, to perform some operations in between fork() and exec(). For example, it may be necessary to run the child process as a different user, like root, or to change directory, or both. There is, in fact, no such call as exec(), but there are two main variants, execl() and execv(). The semantics of execl() and execv() are as follows:

  int execl(char *path, char *arg0, char *arg1, ..., char *argn, (char *) NULL);
  int execv(char *path, char **argv);

It may be seen that the principal difference between the two variants is that, whereas the execl() family takes a path, followed by separate arguments in a NULL-terminated, comma-separated list, the execv() variants take a path and a vector, similar to the argv[] vector passed to a main() function.

The first variant of execl() and execv() adds an environment vector to the end of the argument list:

  int execle(char *path, char *arg0, ..., char *argn, (char *) NULL, char **envp);
  int execve(char *path, char **argv, char **envp);

The second variant replaces the 'path' argument with a 'file' argument. If this latter contains a slash, it is used as a path. Otherwise, the PATH environment variable of the calling process is used to find the file.

  int execlp(char *file, char *arg0, ..., char *argn, (char *) NULL);
  int execvp(char *file, char **argv);


We can now combine fork() and exec() to execute lpr from the parent process in order to print a file:

  #include <stdio.h>
  #include <unistd.h>

  pid_t pid;

  switch ((pid = fork())) {
  case -1:
      printf("fork failed\n");
      break;
  case 0:
      printf("Child process running\n");
      execl("/usr/ucb/lpr", "lpr", "/tmp/file", (char *) NULL);
      break;
  default:
      printf("Parent process has executed lpr to print a file\n");
      break;
  }

The above code only has one problem. If the parent process quits, the child process will become an orphan and be adopted by the 'init' process. When lpr has run to completion, it will become a zombie process and waste a slot in the process table. The same happens if the child prematurely exits, due to some fault.

There are two solutions to this problem. The first is to execute one of the wait() family of system calls. A waited-for child does not become a zombie, but the parent must suspend processing until the child terminates, which may or may not be a disadvantage. There are options which allow processing to continue during the wait, but the parent then needs to poll waitpid(), which makes our second solution, described below, a much better option.

If we are waiting for a specific process, the most convenient call is waitpid(). The synopsis of this call is:
  pid_t waitpid(pid_t pid, int *status, int options);

The call to waitpid() returns the process ID of the child for which we are waiting, whose process ID is passed in as the first argument, 'pid'. The second argument, 'status', is the returned child process exit status and 'options' is the bitwise-OR of the following flags:

WNOHANG: prevents waitpid() from causing the parent process to hang if there is no immediate return.

WNOWAIT: keeps the process whose status is returned in a waitable state, so that it may be waited for again.

The options flags are of no use to us, so we set them to zero. The status word, however, provides useful information on how our child terminated, and can be decoded with the macros described in the man page for 'wstat'.


  #include <stdio.h>
  #include <sys/wait.h>
  #include <unistd.h>

  pid_t pid;
  int status;

  switch ((pid = fork())) {
  case -1:
      printf("fork failed\n");
      break;
  case 0:
      printf("Child process running\n");
      execl("/usr/ucb/lpr", "lpr", "/tmp/file", (char *) NULL);
      break;
  default:
      printf("Parent process has executed lpr to print a file\n");
      if (waitpid(pid, &status, 0) == pid) {
          printf("lpr has now finished\n");
      }
      break;
  }
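The status decoding the text refers to, as an added example that is not the article's code: fork(), exec() the program, reap it with waitpid() and turn the status word into one exit code with the wstat macros. It assumes a POSIX system, with /bin/sh present only for the demonstration in main(); run_and_wait() is my own name.

```c
/* Added example (not from the article): run a program in a child process and
 * report how it ended.  Reaping the child with waitpid() is what keeps it
 * from lingering as a zombie in the process table. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the child's exit code (0-255), 128 + signal number if a signal
 * killed it, 127 if the exec itself failed, or -1 on a fork/wait error. */
int run_and_wait(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    switch (pid) {
    case -1:
        perror("fork");
        return -1;
    case 0:
        execv(path, argv);
        /* Only reached when exec() failed.  _exit() rather than exit(): the
         * child must not flush or run the parent's stdio/atexit state. */
        _exit(127);
    default:
        if (waitpid(pid, &status, 0) != pid) {
            perror("waitpid");
            return -1;
        }
        if (WIFEXITED(status))          /* normal termination */
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))        /* killed by a signal */
            return 128 + WTERMSIG(status);
        return -1;  /* stopped children are not reported without WUNTRACED */
    }
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };   /* constructed */
    int rc = run_and_wait("/bin/sh", argv);
    printf("child finished with code %d\n", rc);           /* prints 3 */
    return rc == 3 ? 0 : 1;
}
```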


If we don't wish to poll waitpid() repeatedly, but need to do other processing while the child process goes about its business, then we need to effectively disown the child process. As soon as the child has successfully forked, we must disassociate it from the process group of the parent.

Process groups and sessions are discussed at the beginning of the fork() section but, to save you the trouble of looking, a process group is headed by the parent process whose process ID becomes the group's process group ID. All children of the parent then share this process group ID. The disowning of a child process is accomplished by executing the system call setpgrp(), or setsid() (both of which have the same functionality), as soon as the child is forked. These calls create a new process session group, make the child process the session leader, and set the process group ID to the process ID of the child. The complete code is as below:

  #include <stdio.h>
  #include <unistd.h>

  pid_t pid;

  switch ((pid = fork())) {
  case -1:
      printf("fork failed\n");
      break;
  case 0:
      if (setpgrp() == -1) {
          printf("Can't set pgrp\n");
      }
      printf("Independent child process running\n");
      execl("/usr/ucb/lpr", "lpr", "/tmp/file", (char *) NULL);
      break;
  default:
      printf("Parent process has executed lpr to print a file\n");
      break;
  }


open() close() dup() read() write()

These system calls are primarily concerned with files but, since Unix treats almost everything as a file, most of them can be used on any byte-orientated device, including sockets and pipes.

  int open(char *file, int how, int mode)

open() returns a file descriptor to a file, which it opens for reading, writing or both. The 'file' argument is the file name, with or without a path, while 'how' is the bitwise-OR of some of the following flags defined in fcntl.h:

  O_RDONLY   Read only
  O_WRONLY   Write only
  O_RDWR     Read/write
  O_TRUNC    Truncate on opening
  O_CREAT    Create if non-existent

The 'mode' argument is optional and defines the permissions on the file, using the same flags as chmod.

  int close(int fd)

Closes the file which was originally opened with the file descriptor fd.

  int dup(int fd)

Returns a file descriptor which is identical to the one passed in as an argument, but with a different number. This call seems fairly useless at first glance, but, in fact, it permits some powerful operations like bi-directional pipes, where we need a pipe descriptor to become a standard input or output. Also, client-server systems need to listen for incoming connections on a fixed socket descriptor while handling existing connections on different descriptors.
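The bi-directional pipe just mentioned, as an added example that is not the article's code: dup2() (dup() with a chosen target number) makes one pipe the child's standard input and another its standard output, so the child does ordinary fd 0/1 I/O without knowing it is talking to its parent. bidir_roundtrip() and child_upper() are my own names and the message is constructed.

```c
/* Added example (not from the article): two pipes, one each way, with the
 * child's stdin/stdout re-pointed at them by dup2().  The child upper-cases
 * what it reads and writes it back; the parent sends a string and collects
 * the reply.  Every unused pipe end is closed so that EOF propagates. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: plain reads from fd 0 and writes to fd 1, as any filter would. */
static void child_upper(void)
{
    char buf[256];
    ssize_t n;
    while ((n = read(STDIN_FILENO, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            buf[i] = (char)toupper((unsigned char)buf[i]);
        if (write(STDOUT_FILENO, buf, (size_t)n) != n)
            _exit(1);
    }
    _exit(0);
}

/* Send 'msg' to the child and read its NUL-terminated reply into 'out'.
 * Returns the number of reply bytes, or -1 on error.  Messages larger than
 * the pipe buffer would need the write and read interleaved (select/poll). */
ssize_t bidir_roundtrip(const char *msg, char *out, size_t outsz)
{
    int to_child[2], from_child[2];   /* [0] = read end, [1] = write end */
    pid_t pid;
    ssize_t n, total = 0;

    if (pipe(to_child) == -1 || pipe(from_child) == -1)
        return -1;

    switch (pid = fork()) {
    case -1:
        return -1;
    case 0:
        dup2(to_child[0], STDIN_FILENO);     /* pipe read end becomes stdin */
        dup2(from_child[1], STDOUT_FILENO);  /* pipe write end becomes stdout */
        close(to_child[0]);   close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        child_upper();                       /* never returns */
    default:
        break;
    }

    /* Parent: drop the ends it does not use; closing to_child[1] after the
     * write is what gives the child EOF and lets it exit. */
    close(to_child[0]);
    close(from_child[1]);
    if (write(to_child[1], msg, strlen(msg)) != (ssize_t)strlen(msg))
        return -1;
    close(to_child[1]);

    while (total < (ssize_t)outsz - 1 &&
           (n = read(from_child[0], out + total, outsz - 1 - (size_t)total)) > 0)
        total += n;
    out[total] = '\0';
    close(from_child[0]);
    waitpid(pid, NULL, 0);   /* reap the child so it does not become a zombie */
    return total;
}

int main(void)
{
    char reply[64];
    if (bidir_roundtrip("hello, pipe", reply, sizeof reply) < 0)  /* constructed */
        return 1;
    printf("child replied: %s\n", reply);   /* prints HELLO, PIPE */
    return 0;
}
```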
OpenBSD 5.4 as a Transparent HTTP/HTTPS Proxy


In this article, we are going to build a firewall using OpenBSD 5.4 with an embedded transparent proxy that disallows some URLs using a blacklist. There is no need to install squid for that: relayd does the trick, with the following bonus: HTTPS inspection!


What you will learn...
- How to configure relayd for URL blocking with HTTPS inspection
- How to use and understand Packet Filter


Consider the network in Figure 1. To begin, please read the following man pages: pf.conf(5), pfctl(8), relayd.conf(5), relayctl(8), and ssl(8). It is essential to have network cards (/etc/hostname.xxx), gateway (/etc/mygate), and DNS resolver (/etc/resolv.conf) configured before starting this How-To.


What do we want to achieve?
Block «File Hosting» websites like 1fichier.com, uptobox.com, mega.co.nz ...

All the URLs we want to block are listed in the file /etc/filehosting, as a blacklist.

Here is a sample for the file /etc/filehosting:

    mega.co.nz/
    uploaded.net/
    uptobox.com/

Figure 1. A network diagram: the OpenBSD 5.4 gateway has em1 (10.100.1.1/24, group lan) facing the 10.100.1.0/24 workstation network and em0 (192.168.5.4/24, group egress) facing the modem-router (192.168.5.100/24) and the Internet; relayd listens on the gateway for the diverted www/https traffic, and domain (UDP) queries pass out.


What you should know...
- Unix commands
- The basics of TCP/IP
- How to configure the OpenBSD network


Enable IPv4 Routing

    sysctl net.inet.ip.forwarding=1

In order to keep this setting at reboot, enter the following:

    echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf

Interface Group
By default «em0» is part of the egress group, and it is the interface connected to the Internet.

At this point we want to add em1 to the lan group, so we do the following:

    /sbin/ifconfig em1 group lan


And to keep this setting at reboot:

    echo "!/sbin/ifconfig em1 group lan" >> /etc/hostname.em1


Packet Filtering
As the network diagram shows, we want to allow our workstations to use only www, https and domain resolution (Bonus: ping ;-).

By default, PF is enabled and here is the /etc/pf.conf ruleset:

    # Our DNS servers, and the bad hosts we declare (some RFC like 1918...)
    mydns="{ 8.8.8.8, 8.8.4.4 }"
    martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
                169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

    # We don't need to load fingerprints
    set fingerprints "/dev/null"

    # No filters on loopback
    set skip on lo

    # NAT
    match out on egress inet from lan:network to any nat-to egress

    # Normalize packets
    match in all scrub (no-df max-mss 1440)

    # Policy: we block all and log
    block log all

    # Protection antispoof
    antispoof for { egress, lan }

    # We deny bad hosts
    block in quick from $martians

    pass out on egress

    # Redirect www traffic from our lan to relayd on port 8080
    pass in quick inet proto tcp from lan:network to any port www \
        divert-to localhost port 8080

    # Redirect https traffic from our lan to relayd on port 8443
    pass in quick inet proto tcp from lan:network to any port https \
        divert-to localhost port 8443

    # We allow our network to use Google DNS resolution
    pass in on lan inet proto udp from lan:network to $mydns port domain

    # We allow pings
    pass in on lan inet proto icmp from lan:network to any icmp-type echoreq

Load the PF ruleset:

    /sbin/pfctl -f /etc/pf.conf


Relayd: url filtering for http/https
Create the CA key and certificate:

    openssl req -x509 -days 365 -newkey rsa:2048 \
        -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

I chose «testing relayd» as a password. You will need it in the relayd.conf file, and the «ca.crt» needs to be installed on all the computers on the network (lan).

Create an SSL server key and certificate for 127.0.0.1:

    openssl genrsa -out /etc/ssl/private/127.0.0.1.key 2048

Generate a Certificate Signing Request (CSR):

    openssl req -new -key /etc/ssl/private/127.0.0.1.key \
        -out /etc/ssl/private/127.0.0.1.csr

Sign the key yourself:

    openssl x509 -sha256 -req -days 365 \
        -in /etc/ssl/private/127.0.0.1.csr \
        -signkey /etc/ssl/private/127.0.0.1.key \
        -out /etc/ssl/127.0.0.1.crt


The /etc/relayd.conf should say:

    http protocol "no ssl" {
        return error
        label "File Hosting Websites is banned !"
        request url filter file "/etc/filehosting"
    }

    http protocol "with ssl" {
        return error
        label "File Hosting Websites are banned !"
        request url filter file "/etc/filehosting"
        ssl ca key "/etc/ssl/private/ca.key" password "testing_relayd"
        ssl ca cert "/etc/ssl/ca.crt"
    }

    relay "no ssl proxy" {
        listen on 127.0.0.1 port 8080
        protocol "no ssl"
        forward to destination
    }

    relay "with ssl proxy" {
        listen on 127.0.0.1 port 8443 ssl
        protocol "with ssl"
        forward with ssl to destination
    }


Start relayd:

    echo "relayd_flags=" >> /etc/rc.conf.local
    /etc/rc.d/relayd start

Load the relayd configuration:

    /usr/sbin/relayctl load /etc/relayd.conf

Verify that relayd listens on 8080 and 8443:

    /usr/bin/netstat -anf inet | grep 127.0.0.1.8

This will give the following:

    tcp   0   0   127.0.0.1.8443   *.*   LISTEN
    tcp   0   0   127.0.0.1.8080   *.*   LISTEN


Test the url filtering on a workstation using the Chrome browser; Figure 2 shows the result. To have a nicer Forbidden page, you can change the «label» value in /etc/relayd.conf to:

    label "<img src='http://www.openbsd.org/art/puffy/puflogv100X65.gif' />"

Figure 2. A sample forbidden page: Chrome showing "403 Forbidden" for https://mega.co.nz, with the text "Forbidden", "rejecting request" and "OpenBSD relayd at 127.0.0.1 port 8443".
LET'S TALK

GhostBSD: A User-friendly, Light-weight BSD Alternative

GhostBSD is an open source desktop operating system based on FreeBSD which aims for a secure, user-friendly experience out of the box. GhostBSD comes with the most common software choices already configured, giving the user a solid BSD installation from the start.


As a long time BSD user, my search for a distribution has spanned the course of over 15 years.

I started to use FreeBSD back in 1997 or 1998 when version 2.2 came out. Getting FreeBSD running on a computer or server was a work intensive experience that involved a lot of fine tuning and time with my nose in a manual. I remember spending hours and hours in front of my computer to get everything working, but in the end it was something awesome.

As FreeBSD didn't have good options for desktop environments, in the following years I started to use Windows and Linux. They both worked great and were very impressive to see on a desktop system. Windows offered a lot of functionality out of the box, but had stability issues and was a relatively bloated operating system. Linux also had its own system stability issues early on, but the desktop environment options were nice. Stability has improved greatly over the years, but due to the decentralized nature of those distributions, they tend not to be as cohesive and stable as FreeBSD operating systems and require the same amount of work in most cases.

When Gnome came out for FreeBSD, it started to make the idea of a nice desktop installation possible. I remember using Gnome 1.4 for some time and then jumping to the famous Gnome 2. At that time, it still took a lot of work to get the desktop environments up and running. Nonetheless, this development made me fall "in love" with FreeBSD as it worked better for my needs than anything else. Fast forward to FreeBSD 9.2 and I still consider it to be the best distribution for the server, and desktop environment support has been improving ever since.

Still, FreeBSD offered difficulties, as FreeBSD is tailored to the server environment, so getting set up in a desktop environment can require a lot of command line work just to get all the services running properly. A friend of mine then introduced me to PC-BSD, a desktop oriented operating system based on FreeBSD, which became my solution for some months. PC-BSD works very well and is great for beginners, but it is still a "heavy" system and you still have to use the command line to use ports. Their App Cafe is great for beginners who just want to have it running and do not have any knowledge about what is happening, but for advanced users it is less than ideal because it runs more slowly than straight FreeBSD. It also is getting to the point where it is difficult to run on older hardware. Another issue is that if you decide to use ports, you run the risk of App Cafe applications breaking, which happened to me on more than one occasion.

This year I also started to use the FreeBSD forums and met a lot of very nice and helpful people who post there, which led me to meet Eric Turgeon. I continued to jump from FreeBSD to PC-BSD and vice versa until I heard Eric talk about GhostBSD. I refused to even take a look till Gnome 2.2 started to give me a lot of problems and FreeBSD does not port Gnome 3, as the underlying architecture is not supported. Combined with Gnome 2.2 no longer being supported, more problems arose.
From there, I found that the Mate desktop environment was the project fork of Gnome 2 and it worked very well at first sight, and I remembered that GhostBSD already comes with Mate support. So, I downloaded GhostBSD 3.5-BETA1 and all the coming versions, testing it a lot. I was pleasantly surprised at how everything I needed just worked. In fact, GhostBSD worked so well that I got in contact with Eric and he invited me to become part of the project.


GhostBSD: The right fit for the desktop

If you want to use FreeBSD on the desktop, GhostBSD is a very strong solution. I recommend it for beginners, normal and advanced users. The GhostBSD installer makes installation a breeze and it has its own application manager which works well with ports without any problem. Installing with packages is another option, but if I have the time, installing via ports is my preferred method as all proper dependencies are installed along with the applications.

GhostBSD also comes with a variety of window managers to choose from. My preference is Mate as it offers a lot of functionality and runs well even on older equipment, but Gnome, XFCE, LXDE, and Openbox are good options as well. GhostBSD pre-configures the most common software choices users prefer for FreeBSD, fine-tuning for optimal performance. This allows users to avoid the process of extensive configuration, building and compiling their own FreeBSD system. GhostBSD is configured for low resource consumption and stability, while not limiting the user's customization options normally found in FreeBSD. Also, all of the tutorials, advice, and online content applicable to FreeBSD apply to our distribution.

While GhostBSD is still early in its development, it takes advantage of many of the features already found in FreeBSD. GhostBSD comes with video card and Wi-Fi support out of the box, which can be a big headache for inexperienced users. It also supports FreeBSD's next generation package management system, Apache OpenOffice, LibreOffice, LibreCAD, the Eclipse/Anjuta development environments and much more. As the project matures and expands it will continue to add features while meeting its primary goals of security and usability in a lightweight installation.


Getting GhostBSD

To try out GhostBSD for yourself, you will first need to visit the GhostBSD web site at http://ghostbsd.org and go to the download section. From there, just choose the option you want from the provided list. There are options for i386 and 64bit, USB or disc images, and default desktop environments. After downloading to your preferred media, make sure you have your boot priorities set up correctly in the BIOS and then start up your system. The graphic interface will then load and you will need to click on the icon to install GhostBSD.

The installation GUI will ask you to choose the partition to install to, whether to use the GhostBSD boot loader (so when the system starts you can choose which system you want to run), as well as other basic options like the root and user password. After you finish the series of questions, installation begins and it's just a matter of time to finish, usually 10 or 20 minutes. When installation is over it will ask you to reboot. Make sure to remove your boot media when rebooting, and you have just installed GhostBSD.


Post-Installation

Once GhostBSD starts, just log in and you will see why GhostBSD is very powerful as a desktop. Load times are very fast, which is immediately noticeable when you click on an icon or on any application you want to run. Speaking of applications, popular common programs like LibreOffice, Firefox, Brasero and others come pre-installed so you can get to work right away. GhostBSD also comes with a wi-fi manager that is very intuitive. Just open it and you will see all the connections inside your wireless range. Simply choose what you want to use and you will see all the options for it. While many of these options are also available in PC-BSD, you can test for yourself to see that GhostBSD is faster due to its design.

In addition, GhostBSD comes with a very helpful package manager. Just select it from the drop down menu, then select update from the list, and you can choose whatever you wish to install from the list and it will download and install it for you automatically. Also, if you like to use ports like me, you can do it with no fear. You won't "break it"; just download and update the port list and use it like you would do in a FreeBSD system. GhostBSD also provides community support on the forum around the clock, since our team is from several different time zones.

To conclude, GhostBSD offers a secure, stable, lightweight BSD installation with a full set of utilities pre-configured so you can hit the ground running. Whether you are a new or an advanced user, GhostBSD takes away the hassle of configuration while providing all the powerful tools of a FreeBSD system. With its lightweight, full featured desktop environment options, GhostBSD offers you a powerful solution regardless of skill level or top of the line hardware.


ADRIAN J. PANUNZIO 
How Secure Can Secure Shell (SSH) be? (One Time Password aka OTP)

This article is the second part of the OpenSSH series and demonstrates configurations as well as tricks that make using the protocol more secure.

What you will learn...
- How to configure OTP for your needs.
- A good base to make up something new and secure on your own.


To begin, let's concentrate on the One Time Password (OTP). We are going to combine our already secure SSH with OTP for remote system connections. First, in algorithmic terms, an OTP is a character string which should never repeat; however, "never" is a notion close to infinity that is never quite reached. Second, an OTP exists in discrete form: its lifetime is finite, and it stays unchanged for seconds, minutes, possibly months or years.

Imagine you have a system which generates a new character string every minute, and let's name it our OTP. The exemplary system uses the 26 characters of an alphabetical array [a, b, ..., z] (lower-case letters only) and the 10 digits [0, 1, ..., 9]. The OTP is 16 characters long and includes characters from the mentioned arrays. So, from the example we can obtain character strings such as:

    rwsyqhz45gtbuwhd
    gbmmx5dilcytq60in
    t2715m86yqkslvb0


How many different character strings can we generate? 
What is the probability of guessing the correct character 
string? Let’s go back to the math. 

Count of the number of possible characters to use: 
26+10=36 [a, b, ..., z, 0, 1, ..., 9] 


What you should know...
- Unix/Linux commands and SHELL environments.
- The basics of TCP/IP.
- Basic configuration of SSH (1st part of the series).
- An understanding of security is necessary.


Length of the character string (OTP): 16. Now, step-by-step:

1) The first character of the string can be randomly selected as 1 from 36, hence we have 36 options for it.
2) The second character of the string can likewise be randomly selected as 1 from 36, hence we still have 36 options for this character.
3) The third character of the string can be randomly selected as 1 from 36 and has 36 options as well.
...
16) The last character of the string can be randomly selected as 1 from 36 and we have 36 options.

We assume that characters may repeat; in this particular case, all 16 characters can be the same. The number of combinations of all characters in our 16-character string is then equal to (step-by-step):

1) A one-character string: 36 different character strings.
2) A two-character string: 36 multiplied by 36 is equal to 1296 (36*36 = 1296) different character strings.
3) A three-character string: 36*36*36 = 46656 (36^3 = 46656) different character strings.
...
16) A sixteen-character string: 36^16 = 7958661109946400884391936 different character strings.
Is the number huge? Let's check.

We will assume that we change our OTP once every minute and the OTP "never" repeats. There are 1440 minutes in one day. There are 365.25 days in one year.

For how many days shall we have different character strings?

7958661109946400884391936 divided by 1440 is equal to 5526847993018333947494.4 days.

For how many years shall we have different character strings?

5526847993018333947494.4 divided by 365.25 is equal to around 15131685128044719911 years.

Around 15 quintillion years (in short scale); for IT guys, it's the same as 15*10^18 years (15 exayears). If you are interested in learning all the scales (short and long), look at the website en.wikipedia.org/wiki/Long_and_short_scales.

To compare that number with something similar, know 
that the lifetime of the proton (predicted) is equal to 3*10*° 
seconds, the age of the universe is equal to 5*10'” sec- 
onds, and our number of different OTPs is equal to around 
7.95*10*. The probability of guessing the OTP is 1 to 
195° 10". 

The machine (computer, especially CPU) can work for one minute to find out the OTP. The probability of guessing the OTP during one minute by the fastest computer in the world (www.top500.org), with a performance of 33.86 petaflops (33.86*10^15 flops/s), is around (33.86*10^15)*60 / 7.95*10^24 = 2.55*10^-7 (0.000255%). Note: it's a very simple comparison and there are many searching algorithms which could be used to speed up finding the OTP, but the probability in the worst case scenario shows the scale.

We can argue that our 16-character One Time Password is secure enough. If we use not a 36-character array, but the ASCII table of characters, we shall have 128^16
OTPs. Try to compute this and compare with the known 
universe mass equal to 1*10°°! 

Let’s go back to our SSH. We will explore a few meth- 
ods of generating and using an OTP but first, we shall get 
familiar with passwords on Unix systems. 

Both FreeBSD and OpenBSD systems keep passwords in the /etc/master.passwd file and the user password is encrypted by one of the algorithms set in /etc/login.conf (find the string :passwd_format= in FreeBSD and :localcipher= in OpenBSD).

There are many hash functions that can be used to 
calculate the encrypted password: DES, Blowfish, MD5, 
SHA256, SHA512 etc. By default FreeBSD uses SHA512 
and OpenBSD uses Blowfish with 6 iterations. 

It's good to know more about the content of the master.passwd file, which stores the users' encrypted passwords.
The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website: https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website: http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website: https://register.bsdcertification.org//register/get-a-bsdcg-id
Look at the command below:

    # cat /etc/master.passwd | grep John
    John:$1$4yQeiBqo$AZOv/r0Q4DcxkF5KvcKN8/:1001:0:admin:0:0:John Buzz:/home/John:/bin/sh

Special data is separated by the $ sign and the hashed password $1$4yQeiBqo$AZOv/r0Q4DcxkF5KvcKN8/ is described below:

    1 means the MD5 algorithm.
    4yQeiBqo is a salt used to make the password more difficult to find out. The salt is generated from the first two characters of the encrypted password.
    AZOv/r0Q4DcxkF5KvcKN8/ is the encrypted password.

As previously stated, FreeBSD uses SHA512 by default (which would display the number 6 behind the first $ sign), but one can change it to MD5 by adding the following lines to /etc/login.conf.

    admin:\
        :passwd_format=md5:

To apply the above changes, run the following command.

    # cap_mkdb /etc/login.conf

The same command works for OpenBSD as well. Note: the MD5 hash function is worse than SHA512. Worse means that it takes less computing to break the hash. I only showed, as an example, how generating a new password should work and how to change the hash function. If your system still uses DES, MD5 or other weak functions, change it.

You could come up with the idea to just replace the 
string in the master.passwd file, but it's not as easy as 
coming up with the idea. Let's use third party applications 
to generate our OTP. 

For security and information reasons, try to tinker with and change some of the following values for a particular user or a group in the login.conf file. Are some of them combined with SSH? Yes: "welcome" for sure. The rest of the options should be clear. Below are the default values from my OpenBSD and FreeBSD systems respectively. For more information about the login.conf file, see man login.conf.

OpenBSD:

    default:\
        :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
        :umask=022:\
        :datasize-max=512M:\
        :datasize-cur=512M:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :openfiles-cur=512:\
        :stacksize-cur=4M:\
        :localcipher=blowfish,6:\
        :ypcipher=old:\
        :tc=auth-defaults:\
        :tc=auth-ftp-defaults:

FreeBSD:

    default:\
        :passwd_format=sha512:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
        :nologin=/var/run/nologin:\
        :cputime=unlimited:\
        :datasize=unlimited:\
        :stacksize=unlimited:\
        :memorylocked=64K:\
        :memoryuse=unlimited:\
        :filesize=unlimited:\
        :coredumpsize=unlimited:\
        :openfiles=unlimited:\
        :maxproc=unlimited:\
        :sbsize=unlimited:\
        :vmemoryuse=unlimited:\
        :swapuse=unlimited:\
        :pseudoterminals=unlimited:\
        :priority=0:\
        :ignoretime@:\
        :umask=022:

FreeBSD and OpenBSD use different applications to generate the OTP for us. OpenBSD uses the S/Key system and FreeBSD uses OPIE. Let's start with FreeBSD.

FreeBSD OTP by OPIE (One-Time Passwords in Everything)
There is a seed that consists of two letters and five digits, plus an iteration count. The OTP is created by concatenating a secret password with the seed and then applying the hash function MD5 as many times as the iteration count states. Then OPIE turns the result into six words as our OTP. Let's assume that we are logged in to our system via SSH. Here are the step-by-step instructions to run OTP. Initialization (please be logged on as a standard, not privileged, user):




    $ opiepasswd -c
    Adding John:
    Only use this method from the console; NEVER from remote. If you are using
    telnet, xterm, or a dial-in, type ^C now or exit with no password.
    Then run opiepasswd without the -c parameter.
    Using MD5 to compute responses.
    Enter new secret pass phrase:
    Again new secret pass phrase:

    ID John OTP key is 499 mo3726
    TACK LOP AN ADEN GIFT BEND

In the output (the system requests the pass phrase for user John), 499 is the sequence number and mo3726 is the seed.

Listing 1. SSH successful connection screenshot

    Using username "John".

    Access Restricted Equipment
    All Activities are Monitored and Logged
    Unauthorized Use Prohibited

    By Accessing, You Are Agree Your Activities to be Monitored and Logged

    Authenticating with public key "imported-openssh-key"
    Passphrase for key "imported-openssh-key":
    Further authentication required
    Using keyboard-interactive authentication.
    otp-md5 498 mo3726 ext
    Password:
    Last login: [date and host illegible in the scan]
    FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Thu Sep 26 22:50:31 UTC 2013

    MATRIX
    [9 x 9 grid of six-digit numbers printed by the author's Locker application]

    Attempts left: 3.
    Unlock key:
    Terminal unlocked!


At this time, if user John tries to log in via SSH, he is asked to type the OTP. Where is the password?

The password is generated on the other machine using the following command:

    $ opiekey 498 mo3726 ext
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:
    WAS KURD LOG MONA BONE DRUG

Copy WAS KURD LOG MONA BONE DRUG into the terminal where you're trying to log in and are being asked for a password. Listing 1 depicts the result.

If you didn't read the first article, please be informed that the MATRIX, Attempts left and Unlock key texts are my own application's prompts. You can try it by downloading from www.iptrace.pl (go to Download and click on the Download Locker button). The application is free of charge under the BSD Licence. Please send any suggestions and bugs found in the Locker via e-mail to locker@iptrace.pl. If you want to generate more than one OTP, run the following command: option -n and then a value to indicate the number of OTPs.

    $ opiekey -n 5 498 mo3726 ext


    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:
    494: LAY REAL RASH JUJU LANG LINE
    495: SAIL DOCK TILE MIRE SOY NULL
    496: YAM WEAR ROAM FIST TWIN SUE
    497: TRAM CANT FOLK AFRO OVA BAND
    498: WAS KURD LOG MONA BONE DRUG


Figure 1. MS Windows WinKey One Time Password generator (Challenge: 498 mo3726 ext; Response: was kurd log mona bone drug)


Please bear in mind that it's not a good solution to generate a password on the first system in order to log into a second one. If you want to have all SSH terminals (systems) protected by OTP, use an MS Windows application to generate the OTP. See the screenshot of that application (Figure 1). You can download WinKey from ftp://ftp.irisa.fr/pub/OTP/.

Note: the OTP generated by OPIE doesn't change the real UNIX passwords in the master.passwd file. To disable the use of OPIE, run the following command.

    $ opiepasswd -d John

To allow users from specified IP addresses or networks to log in via the UNIX password, bypassing OPIE, change the settings in the /etc/opieaccess file. You can still use OTP if needed, so you have two ways to get into the system.
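As an added example (not the article's, OPIE's or S/Key's own code), here is the otp-md5 hash chain that both OPIE and the S/Key system described in the next section implement per RFC 2289, shown in hex rather than the six-word encoding: the host stores only the hash one step above the current sequence number, so a response it has already accepted is useless for a replay and cannot be rolled forward to the next one. The seed lowercasing, the XOR fold of the MD5 digest and the server-side state follow RFC 2289 (which also publishes test vectors the output can be checked against); the passphrase and seed values are constructed.

```python
"""Added example, not code from the article or from OPIE/S-Key: the otp-md5
chain of RFC 2289 in hex instead of the six-word encoding.  Shows why a host
can verify a one-time password without storing anything reusable, and why a
captured response can neither be replayed nor turned into the next one.

Follows RFC 2289: the seed is lowercased before use, the 128-bit MD5 digest
is folded to 64 bits by XORing its two halves, and the host keeps only
(sequence, seed, hash of the previously accepted response).  Passphrase and
seed values below are constructed for the demonstration."""
import hashlib


def fold(digest16):
    """XOR the two 8-byte halves of a 16-byte MD5 digest (RFC 2289 folding)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_step(prev8):
    """One link of the chain: hash the previous 8-byte value and fold again."""
    return fold(hashlib.md5(prev8).digest())


def otp_hash(passphrase, seed, count):
    """The count-th one-time password: count 0 is fold(MD5(seed + passphrase)),
    every further step is otp_step() applied to the previous value."""
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        value = otp_step(value)
    return value


class OtpServer:
    """Host-side state after 'opiepasswd' / 'skeyinit': the sequence and seed
    it will challenge with, and the hash of the NEXT-HIGHER sequence number,
    which is all it needs to verify a response.  The secret is never kept."""

    def __init__(self, passphrase, seed, count):
        # Initialisation happens once, on a trusted console, with the secret.
        self.seed = seed
        self.sequence = count - 1                  # count 499 -> challenge 498
        self.stored = otp_hash(passphrase, seed, count)

    def challenge(self):
        return "otp-md5 %d %s" % (self.sequence, self.seed)

    def verify(self, response8):
        """Accept iff hashing the response once reproduces the stored value.
        On success the response becomes the new stored value and the
        sequence decrements, so presenting the same response again fails."""
        if otp_step(response8) != self.stored:
            return False
        self.stored = response8
        self.sequence -= 1
        return True


def client_response(passphrase, challenge):
    """What 'opiekey 498 mo3726 ext' / 'skey 99 seed' compute on the user's
    side; the trailing 'ext' of an OPIE challenge is ignored here."""
    parts = challenge.split()
    return otp_hash(passphrase, parts[2], int(parts[1]))


def demo():
    """Two logins and one replay attempt against a constructed server."""
    secret = "correct horse battery"                   # constructed secret
    server = OtpServer(secret, "mo3726", 499)
    first = client_response(secret, server.challenge())  # for sequence 498
    ok_first = server.verify(first)
    replay = server.verify(first)                      # same response again
    second = client_response(secret, server.challenge())  # now sequence 497
    ok_second = server.verify(second)
    return ok_first, replay, ok_second, server.sequence


if __name__ == "__main__":
    print(demo())                                      # (True, False, True, 496)
```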


OpenBSD OTP by S/Key
S/Key uses a secret pass phrase with a challenge. Conceptually, the workings of S/Key are similar to OPIE. Let's assume that we are logged in to our system via SSH. Here are the step-by-step instructions to run the OTP generator. Initialization (please be logged on as a privileged user, root) to create the /etc/skey directory:


# skeyinit -E 


Re-login as a standard user, for my example the user is John, then run the following command.

    $ skeyinit

And output (the system requests the pass phrase for user John):

    Reminder - Only use this method if you are directly connected
    or have an encrypted channel. If you are using telnet,
    hit return now and use skeyinit -s.
    Password:
    [Adding John with md5]
    Enter new secret passphrase:
    Again secret passphrase:

    ID John skey is otp-md5 100 utm167228
    Next login password: SEAL TEEN FROG HAWK WADE RID

Yes, you're right. It's almost the same as for OPIE. So, it's easy to go through the rest of the tour.


Listing 2. SSH successful connection screenshot

    Authenticating with public key "imported-openssh-key"
    Passphrase for key "imported-openssh-key":
    Further authentication required
    Using keyboard-interactive authentication.
    [otp-md5 challenge line with sequence number and seed, illegible in the scan]
    S/Key Password:
    Last login: Tue Nov 26 00:42:40 2013 from [address illegible in the scan]
    OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:25:25 MDT 2013

    [OpenBSD ASCII-art login banner]

    MATRIX
    [9 x 9 grid of six-digit numbers printed by the author's Locker application]

    Attempts left: 3.
    Unlock key:
    Terminal unlocked!

The password is generated on the other machine using the following command:
# skey 100 utm113739 

Reminder - Do not use this program while logged in via 
telnet. 

Enter secret passphrase: 


SARA CHIN WATT KNEW CUB SCOT 


Once again, if you want to generate more than one OTP, 
run the following command with option -n followed by a 
value that indicates the number of OTPs to generate. 


$ skey -n 5 100 utm113739 

Reminder - Do not use this program while logged in via 
telnet. 

Enter secret passphrase: 

96: DOES BLAT TILT NOLL NARY HUT 

97: WARN TWIG FREE TRAY SIGH AIDE 

98: LENT BURN GEL GOES CHAD LOOT 

99: SHOW AWE TINA LIED WATT WANT 

100: SARA CHIN WATT KNEW CUB SCOT 


Again, we can use WinKey to generate the OTP (Figure 2). 
The last change in OpenBSD is to replace one line in the 
login.conf file. The line should read as follows. 


auth-defaults:auth=skey,passwd: 

For security reasons change the second line as well. 


auth-ftp-defaults:auth-ftp=skey,passwd: 


Figure 2. MS Windows WinKey One Time Password generator (screenshot showing the challenge field, the password field and the response "sara chin watt knew cub scot") 


To apply the above changes run the following command. 
# cap_mkdb /etc/login.conf 


If you're not going to use password authentication in the near 
future, delete the passwd value from the lines above to enforce 
OTP-only logins. This does not apply to root, who can always 
get on the system using a standard Unix password. 
Note: we don't generate an OTP for the privileged user, 
root, for ease of maintenance (so as not to make the 
authentication track more complicated) and for ease of using 
the account from the console. You have to know that OpenBSD 
behaves differently from FreeBSD when logging in with the 
su command: even though we have not created an OTP for root, 
OpenBSD asks for one. To prevent this, use the following 
command when you switch to root from a standard user account. 


$ su -a passwd 


References (in order of relevance) 

man opiepasswd (FreeBSD) 

man opiekey (FreeBSD) 

man opieaccess (FreeBSD) 

man skeyinit (OpenBSD) 

man skey (OpenBSD) 

man master.passwd 

www.openssh.org; www.openbsd.org; www.freebsd.org 

Listing 2 shows a successful login with S/Key in place. 

Remember, if the counter is about to reach 0 (zero), it's 
important to reinitialize it before it does. Use the following 
commands for OpenBSD and FreeBSD respectively, otherwise 
you won't be able to log in. 


# skeyinit 


# opiepasswd -c 
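The counter behaviour behind skeyinit, skey -n and the reinitialisation warning above, as an added example (not code from the article or from the OpenBSD skey sources): the otp-md5 hash chain of RFC 2289 on the client side, and the minimal server-side check that accepts each OTP only once and refuses everything once the counter hits 0. The passphrase is a constructed value; the seed utm113739 is the one from the listing above; the six-word encoding is omitted and OTPs are shown in hex, as skey -x prints them.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One S/Key step (otp-md5): MD5 the input, fold 128 bits to 64 by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, seq: int) -> bytes:
    """OTP for sequence number seq: fold(seed + passphrase), then seq more folds (RFC 2289)."""
    key = fold_md5(seed.lower().encode() + passphrase.encode())  # the seed is case-insensitive
    for _ in range(seq):
        key = fold_md5(key)
    return key


def skey_batch(passphrase: str, seed: str, seq: int, n: int) -> list:
    """What 'skey -n n seq seed' prints: sequence numbers seq-n+1..seq, walking the chain once."""
    first = seq - n + 1
    key = skey_otp(passphrase, seed, first)
    out = [(first, key.hex())]
    for s in range(first + 1, seq + 1):
        key = fold_md5(key)  # each later OTP is one more fold of the previous one
        out.append((s, key.hex()))
    return out


class SkeyRecord:
    """Server side of /etc/skey/<user>: the seed, the counter and the last accepted OTP only."""
    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed, self.seq, self.last = seed, seq, last_otp

    @classmethod
    def init(cls, passphrase: str, seed: str, seq: int = 100):
        """skeyinit: the user computes OTP(seq); the server stores that, never the passphrase."""
        return cls(seed, seq, skey_otp(passphrase, seed, seq))

    def challenge(self) -> str:
        """The 'otp-md5 99 utm113739' style line shown at the login prompt."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff one more fold of the response equals the stored OTP, then step down."""
        if self.seq == 0:
            return False  # chain exhausted: the user must run skeyinit again
        if fold_md5(response) != self.last:
            return False  # wrong OTP, or a replay of one already used
        self.seq, self.last = self.seq - 1, response
        return True


if __name__ == "__main__":
    passphrase, seed = "constructed example passphrase", "utm113739"  # constructed values
    record = SkeyRecord.init(passphrase, seed, 100)
    for seq, otp in skey_batch(passphrase, seed, 100, 5):
        print(f"{seq}: {otp}")  # what 'skey -x -n 5 100 utm113739' would show (hex form)
    print(record.challenge(), "->", record.verify(skey_otp(passphrase, seed, 99)))
    print("replay ->", record.verify(skey_otp(passphrase, seed, 99)))
```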


Conclusions 
Using One Time Passwords (OTPs) is a very good approach 
to improving system authentication security. In conjunction 
with public/private keys, Unix passwords and some OpenSSH 
defences, OTP ensures strong security without too much of a 
decrease in functionality. 

In the next part of the series you will find out more about: 


• VPN tunnelling: creating Virtual Private Networks 
using OpenSSH 

• SFTP, the SSH File Transfer Protocol, as opposed to 
standard FTP 
Titania's award winning Nipper Studio configuration 
auditing tool is helping security consultants and end- 
user organizations worldwide improve their network 
security. Its reports are more detailed than those typically 
produced by scanners, enabling you to maintain a higher 
level of vulnerability analysis in the intervals between 
penetration tests. 


Now used in over 45 countries, Nipper Studio provides a 
thorough, fast & cost effective way to securely audit over 
100 different types of network device. The NSA, FBI, DoD 
& U.S. Treasury already use it, so why not try it for free at 
www.titania.com 
OPINION: With the UK government in collusion with the major search engines to censor 100,000 search terms to prevent child abuse, is the UK joining the ranks of the technological fascists? 


David Cameron, while no fool, by his authority as Prime Minister of the United Kingdom, has backed the censorship of 100K search terms alluding to child abuse in collusion with Google, Bing, and no doubt other search providers accessible in the UK. The exact extent of the legal framework is yet to be formalised, but it is clear that the UK government is moving towards a more proactive stance of censorship in a populist move to assuage the “something must be done to protect us from the Internet” lobby. Of course, the fact that political affiliations, terrorism, or whatever the flavour of the day that offends “the powers that be” may be added to this list has escaped those that promote the nose of this particular camel that protrudes within the tent of content delivery. Personally, I cannot think of 100 terms that relate to child abuse let alone 100K, so my inner skeptic, not unexpectedly, was left incredulous. A classic case of political disconnect in the making. How many words do Eskimos have for snow? 

Contrary to popular belief, the Internet is a delivery system, not some monster with an alternative agenda to deprave and corrupt all from conceived embryos to the elderly and beyond the grave. It is a reflection of society. On the surface, triggering an alert if someone was to type “kiddie porn” into Google, seems a good way to deal with the totally abhorrent desire of an individual to have sexual relations with prepubescent children. What happens if you are a genuine journalist, researcher, concerned parent or a medical professional? Your browser gets an alert and your IP address is committed to a database. Then what? Questions are asked, or worse case, a visit by your local police force at 5:00AM to seize 
all Internet enabled devices, recordable media and a forensic investigation of every detail of your life and moral censure? The Internet is transient — a page can appear and disappear within minutes, or in the case of the current Conservative governments’ previous election promises — a few years. Thanks for nothing, Google. What is still unclear is how much of this data will be passed to other intelligence services or bodies via the NSA and GCHQ. 

Let's not be under any illusion here, the watchers are already aware of who the culprits are on both sides of the Atlantic, so this appears to be a political move to legitimise censorship on the coattails of moral panic and not a genuine attempt to rid society of evil. It will be interesting to see if these “banned” keywords are ever published. 

Lady Doth Protest Too Much 

As technologists we all know that filtering search terms and attempting to categorise them intelligently is a pretty pointless exercise unless you throw massive human resources at it. During the miners’ strike in the UK during the 80s, the eavesdropping system monitoring UK telephone conversations was overloaded due to the sheer weight of relevant data. I recently installed a corporate wide messaging system on our Intranet, and as a precaution to assuage the naysayers, added a swear filter knowing full well that it was a token gesture. If people want to do bad things, they will find a way to do them. This is IT help-desk 101. The fallacy that technology can be a moral guardian is rife with miscarriages of justice. Just ask any motorist who has been captured speeding by a badly aimed or calibrated speed gun or, indeed, a customer on the wrong end of a customer services “script”. Technology is digital, black and white, whereas real life is analogue, a spectrum of colour. Here lies the perpetual paradox and argument between the spirit and the letter of the law. Unfortunately, history has proven that venal individuals can capitalise on this argument, be they defendants, prosecutors or, notably, governments. 

So let’s cut to the chase. Child pornography is evil. Anyone of sound mind caught manufacturing, distributing or consenting to such deeds should be quite rightly and with full weight, condemned not only in a court of law, but also in society. The basis of civilisation is innocence, innocent until proven guilty and the right to have a childhood of innocence. Anything else is a travesty. 

Unfortunately, the law once again blindly overreaches in this regard, as possession in the UK of the worst type of pornography is a strict liability offence (i.e. you got it, you are guilty). While no cases to my knowledge have reached the courts here in the UK, the law is cut and dried — if you have “bad content” on your servers, you are liable. End of story. No mens rea (state of mind) appeal is allowed under strict liability cases. So as a system administrator in the UK, if I find objectionable 3rd party material on my server I run the risk of prosecution if I attempt to hand this material over to the authorities. So what should I do? Delete it and say nothing? In theory, no prosecuting authority would be so aggressive as to pursue such a case with a co-operating individual but in this age of febrile condemnation of the mass media and legalism, who knows? If somebody wanted to prove a point, all they need do is dump some images on a competitor’s or political opponent’s hard disk and make a few phone calls. The rules and ethics that work in the real physical world (e.g. possession of drugs) do not work with electronic data. 

In reality, the neighbourhood paedophile is protected. They are either using strong encryption or are part of a network that is peer to peer, either electronically or socially. The level of social disgust that is associated with this issue means that it is now the holy grail of the blackmailer or the foreign government as sexual preferences, political alliance and financial corruption are now regarded as issues that are of little social consequence — unlike during the days of the Cold War. To any rational mind, a government or their intelligence services wanting to widely discredit an individual will aim for smearing with this particular human frailty. This adds an interesting dimension to the English phrase “Conspiracy or cock-up”. Blackmail or media slaughter anyone? So, to truly defeat this evil in our society, we need a decent whistle-blowing strategy, and properly resourced root and branch investigations, not the crude hammer of the law that condemns due to content possession irrespective of motive. The recent Jimmy Savile scandal proves this, in that victims were scared of coming forward and when they did, they were discredited or ignored often because of the position of privilege held by their abusers. Pauper or king, for justice to prevail, all need [text lost in scan] under the law. Sadly, this is not the case. God help an innocent ISP or a victim under the current legislation. 

David Cameron's febrile attempt at cleaning up the In- 
ternet proves beyond all doubt that he doesn’t under- 
stand the issues. Over 90% of child abuse victims know 
their abuser socially. Granted, the Internet is a medium 
that allows people to build relationships, but to catego- 
rise an individual as deviant by what request they sub- 
mit to a search engine is not only an abuse of process, 
but an abuse of power. And that doesn't take into account 
the malware a reasonably skilled IT engineer could build 
to generate a spoof of an individual’s request. This move 
plays right into the hands of the spammers and the crimi- 
nal underworld, allowing them to blackmail ordinary citi- 
zens with false accusations. “You have been looking at 
illegal content. Send us your credit card details and £250 
or we contact the authorities”. No paedophile is going to 
be searching for the type of content they desire using a 
search engine — it is more likely to be distributed via peer- 
to-peer or stored on a server within the Tor network. The 
truly paranoid would send it via snail mail on an encrypted 
USB stick or CDROM. So this cure will create more prob- 
lems than it solves. 

So what can we do about this evil as a community? 
First of all, we all need to be aware of and identify all the 
different types of low-life that are out there — fraudsters, 
sock-puppets, trolls, spammers, bandwidth abusers and 
copyright infringers, et al, irrespective of whether we are 
IT professionals or end users. Birds of a feather flock to- 
gether. I am not generally talking about individuals here, 
as we are probably all guilty at some point of commit- 
ting some of these actions to a lesser degree. Who hasn't 
filled in a web-form with false details or used the corporate 
network to download an MP3 or two? I am talking about 
the communities that make a lifestyle, political or commer- 
cial choice to do such things en-mass on a regular basis 
causing disruption and distress to all. 

We need a mechanism to quickly electronically dis- 
able and deal with these communities in law. If you get 
500 phishing emails a day, that is 500 counts of attempt- 
ed fraud, but will law enforcement take it seriously? Due 
to the distributed nature of networks, while the malware 
causing the problem may be on 500 individuals’ PCs, it is 
not necessarily true that they are guilty of anything other 
than bad security hygiene. It is the authors and bot-mas- 
ters who are guilty. We need a segregation of legal adult 
content into an XXX domain that is easily blocked by paren- 
tal controls, backed by legislation that pursues the owner 
of the domain (e.g. the content owner) for breach. The 
province of the purchaser can then easily be proved in a 
court of law, absolving the ISP of responsibility. After all, 
like an estate agent or realtor they are only selling space, 
they are not responsible for the acts that take place inside 
the property. Of course, if the ISP does discover illegal 
activity, they have a duty to report it. Still, as mentioned 
earlier, in the UK at least it is not that easy. The same 
idea could apply for global financial transactions etc., but 
of course certain vested interests want to have their cake 
and eat it, in that they want global freedom without neces- 
sarily any accountability or responsibility. 

So a global Internet wide agreement is probably never 
going to happen. 

Another approach is on a country by country basis. 
Once again, this has its dangers. I don’t want some policy 
maker deciding if I can visit www.ihatemygovernment.org 
(Yes. It exists). China and Google firewalls anyone? Any- 
how, any experienced IT user can proxy or tunnel their 
way around it. 

No, the Internet, like rain, sunshine and death is avail- 
able to everyone, including paedophiles. The maxim ‘I 
disapprove of what you say, but I will defend to the death 
your right to say it’ needs to be revisited and reconsid- 
ered as in 2013 we don’t just have words but images and 
video available to all as well. While freedom of expres- 
sion is vitally important we equally need social, moral and 
legal responsibility, from the tramp to the millionaire. We 
live in a wonderful age, where barriers are collapsing and 
we can connect and understand more than the shallow 
political rhetoric that has dominated the last 2000+ years. 
What matters most is what people and society values — 
in real life and online. Until we get some cohesive action 
and the issue of Internet crime is taken seriously just as 
it would be on the street, WWW will continue to stand for 
Wild Wild West. 
An ACROS Penetration Test is conducted exactly like a real attack by a skilled, 
motivated adversary — only without the damage. We will find the weakest links 
in your security and use all our knowledge, skills and capabilities to try to 
achieve exactly what your security measures and policies are there to prevent. 
If it sounds difficult, we're interested. 


Experience the ultimate test of your security. 
(After all, the only alternative is to wait for an actual attack.) 


ACROS Security — http://www.acrossecurity.com — security@acrossecurity.com 